Chaordic Mind

History and Background

I’ve been deeply involved in the creation and maintenance of the PCI standards and framework since their initial inception.  Not only did I perform one of the first CISP assessments, I also wrote the framework for what is now the PA-DSS and performed the first PABP assessment ever.

I’ve been more than an implementer.

For a few years I trained all Qualified Security Assessors (QSAs) globally, and trained thousands of merchants, processors, and acquirers globally.  This experience taught me more than I could ever have hoped for because it instilled in me a deep understanding of the complexities within what we commonly refer to as the payment card industry (PCI).

Payments are complex, organic, and sometimes legacy systems that are complex enough in the US when you consider the various acceptance channels, networks for credit vs debit, payment channels, issuers/acquirers, payment gateways, point of sale software, third-party processors, and millions of merchants that vary in size from 5 transactions per year to 500 million.

Now take that and multiply it by a few hundred since each country has their own nuance issues.  These include everything from a single-acquirer model in Central and South America to the multi-acquirer models in Spain, Italy, and other European countries.  In S. Korea you use your banking information, not your payment card for e-commerce transactions.  In Brazil many merchants have a different payment terminal for each type of payment card they accept.  It’s not nearly as simple as we would like to imagine.

Bottom line: the industry is complex and any hack can find a loophole where a single standard may not apply to everything.  It is important therefore to move beyond the literal wording and see the intent behind the PCI standards.

Tradeoffs

No matter how smart you think you are, there is no simple solution.   It’s all a matter of tradeoffs, and my goal is to help you understand what some of those tradeoffs are.  Let’s look at a few examples:

1. Scope Reduction
   • You can deploy a Magtec encrypted card reader to encrypt all card present transactions in a tamper resistant security module (TRSM) hardware device so the data is not decrypted until it reaches your payment processor.  This could remove your card present transactions from the scope of PCI.
   • You can leverage Akamai Edge Tokenization to prevent payment card data from ever hitting your e-commerce environment.  This could remove your card-not-present transactions from the scope of PCI.
   • Perfect, right? It’s all about tradeoffs.  You remove the need for PCI compliance and simultaneously remove the ability to use that data for other business processes.  Securing data is always a matter of tradeoffs.  I call this Newton’s Second Law of Data Security. For every action there is an equal and opposite business reaction.
2. Data Breach vs Fraud Costs
   • One of the things that boggles my mind is that cardholders end up placing blame on their card issuing bank when they experience fraudulent activity on their payment card.  It wasn’t the bank that exposed your data in a data breach.  Instead it was more likely a merchant on the other side of the payment landscape that was breached and now it’s your bank who is absorbing the costs.  This is the digital equivalent of your neighbor’s house getting broken into and you paying for all the damage.  No matter how secure you make your house they continue to leave their house insecure and you continue to pay for damages. WTF?
   • The PCI standards were meant for the merchant acquiring side of the payment landscape to encourage these merchants to secure their house and thus reduce the amount of fraud occurring in the system.
   • In the United States we have mandatory data breach laws which mean the compromised merchant is required to notify the cardholder that a breach has occurred.  While some merchants may choose to ignore this, others simply cannot notify.  E-commerce merchants may have your name, address, and phone number but card-present merchants may only have your card number and no real way to notify you in the event of a data breach.  Individual state laws permit the merchant to make a local or national announcement but who is to know if you will ever hear about it?  Now, one person does have your name and address — the Issuing Bank — but they cannot disclose information related to a data breach due to non disclosure agreements they have in place.  I’d like to see a world in which compromised merchants either notify me or permit the issuing bank to notify me on their behalf.  Which brings me to my next two laws:
     • Mike’s Data Breach Rule: “They who expose my data should be the one to notify me.”
     • Mike’s Data Breach Corollary: “If they who expose my data cannot notify me, they should permit another org to do so on their behalf.”
3. Magnetic Stripe vs Chip and PIN
   • For decades people have been proposing complex technologies that could “solve” the fraud problem within the PCI industry — most of them including some form of one-time-use payment card number.  I roll my eyes and remind the reader to re-read the complexity section above.  Sure, we can issue everyone a one-time use card number but this necessitates all transactions be on-line.  Suddenly we begin to see the problem with tradeoffs wherein you cannot make purchases in airplanes, or even in retail stores that go offline.  It is the desire of the merchant community to maintain support for multiple payment methods and options because nobody wants to be told they cannot accept a payment.
   • Still others cry mutiny at the banks that they claim are forcing a legacy technology on the merchant community called the “magnetic stripe.”  Again, not true.  Remember that the cost of upgrading all payment terminals in the US to support Chip and PIN is not a cost to be borne by the issuing banks who give you the card but by the acquiring banks and every small merchant in America.  Think this would be easy?  Consider for a moment that just the payment card system for a gas (petrol) station can cost upwards of $75,000 per pump!  That does not include the back-end software required to manage the pumps and transactions.  Now consider that every merchant of every type and complexity needs to upgrade their systems.  Oh, it will happen, but it’s not the banks forcing legacy card technologies; the reason we have not moved to Chip and PIN faster is due to resistance from the merchant community.
   • Read more details here: The Real Deal on Chip and PIN (EMV) in the US.

What Makes You So Special?

That said, even with all the complexity of the various payment types and globalized networks — the variances in how data breaches occur is getting smaller and smaller.  This past week I spoke with a globe trotting PCI Forensic Investigator who told me that people always ask him, “so what fraud patterns do you see in your area of the world?” He replied with, “the same ones you see in yours and others see in theirs!”

Yes, there are variances.  As you chase the attackers out of one vector they move on to another.  Block card present, they move online.  Block online, they move upstream.  Block upstream, they move downstream.  At the end of the day, they tools are different but their target and intended goal is always the same.  So how do we defend against this ever present threat?  Scope reduction, data surrogacy, and data deprecation are some but we almost always have some data to protect, and thus a baseline for securing that data.

One thing the Verizon PCI Report taught me is that organizations focused on compliance as the only goal tend to achieve that goal and then regress immediately thereafter.  In my opinion, organizations that take a continuously improving capability and maturity model towards information security tend to regress less.  Instead of seeing compliance as a goal these organizations see compliance as a byproduct of a solid security program.

I believe in PCI compliance and the need for it (see also: regulation-deregulation cycles), but as many others have echoed — compliance is only a minimum — it is a baseline that we should continue to strive beyond.  If you feel that point-in-time compliance is the only thing you need, let me know so I can stop providing you my data to expose.

Recently the large story to hit the news, the thing people are all reading and writing about, is the story about how 1 guy (and 2-5 accomplices) were able to steal 130 million payment-cards in over three years, and finally got caught.  The question is, what if Albert “Segvec” Gonzalez (aka. Cumbajohnny) is an outlier?  A statistical anomaly.

Facts of the Case

Rich Mogull has a good overview of the indictment.  Wired magazine, the Washington Post (Brian Krebs), and the Wall Street Journal all have coverage.  Rich has an interesting comment that:

In the “drama” category, we learn that the main perpetrator is the same person who hacked TJX (and multiple other retailers), and was the Secret Service informant who helped bring down the Shadowcrew.

…

This indictment covers breaches of Heartland, Hannaford, 7-Eleven, and two “major retailers” breached in 2007 and early 2008.

…

This is the same Albert Gonzales who was indicted last year for breaches of TJ Maxx, Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, Office Max, and Sports Authority.

…

The attacks both sniffed traffic and attempted to identify stored card numbers. They targeted data at rest and in motion.

The Wired article adds:

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.

…

Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

…

Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003.

…

Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.

Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month.

The Wall Street Journal adds:

The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.

For the techie in each of you, I’d recommend Rich’s summary of the Visa/FBI/USSS data breach report in February 2009.

Allegations

From all accounts it appears that many of the major payment-card data breaches in the last three years can be attributed to a small handful of people, and perhaps one ringleader. Could this be a normal attack pattern, or were these individuals outliers?  If they were the crest of an even bigger wave of attacks, it does not bode well for corporate America, but if they are statistical anomalies then what would the world look like if we ignored them when measuring the success of the PCI program?

In 2003, Gonzalez, a carder in his own right, was arrested by the Secret Service and turned into a mole to allow them inside of CardersMarket, one of the largest carding rings in the world.  Though Gonzalez was outed at the time by Dave Thomas (aka. Ethics or El Mariachi), many people did not listen to his rants at TheGrifters.net.  Allegedly, Dave Thomas was at the time an informant for the FBI on the same operation.  Later that year, Gonzalez would replace Kim Taylor (aka. MacGyver) as the board manager.

In March 2004, Gonzalez expanded his domain by replacing Dmitry Golubov (aka Script) as board manager for CardersPlanet.

In 2008, Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey were indited and accused of hacking into TJX Companies and thus exposing 40 million payment-cards.  This 2008 indictment named Aleksandr Suvorov (aka JonnyHell) of Estonia and Maksym Yastremskiy of Ukraine.  Could these be the two “Russian” conspirators that are mentioned in the current indictment of Gonzalez?

But Gonzalez would not have gotten very far had it not been for his friendship with Stephen Watt.  Mr. Watt, a 7 foot tall, 25-year-old programmer, wrote the packet sniffer “blabla” for Gonzalez to capture transactions as they traversed the corporate networks.  Interestingly enough, Watt “graduated from high school at 16 with a 4.37 grade point average and from college at 19″, but had a bug in the software that caused it to deactivate each time the POS was rebooted.

Outliers

Again, I begin to wonder what the world would be like if these personalities had not met or operated in unison.  What would the payment-card world be like without Gonzalez?  It may be a stretch to speculate that this one individual and his actions equate to outlier status. By this measure military dictators and oppressive regimes could also be named outliers even though their affect is quite impactful.

What we are really measuring here is the difference between potential energy and kinetic energy and the catalyst to convert matter from one to the other.  We can assume that there are vulnerabilities in every system and the grater the number the higher the potential energy.  The catalyst, in this case Gonzalez, plays the role in converting that potential energy (vulnerabilities) into kinetic energy (stolen cards and then cash.)  Without the catalyst the measured state would stay the same and as such represent a seemingly stable statistic.

We can ignore this alleged stability in the system by stating that all vulnerabilities have the potential of being converted into cash, but until they are such statements are meaningless (outside of theory modeling.)  To this point we measure vulnerabilities not by their size in population but by how frequently they are exploited.  Without a catalyst to convert the vulnerabilities they contain little value from a metrics perspective of data compromises.

Statistics

According to DataLossDB.org the number of payment-card numbers lost between 2007-2009 equates to the following:

2007: 111,957,179 records

2008: 13,439,242 records

2009: 130,965,494 records (to date)

The total number of records for (almost) three years time = 256,361,915 records.  So, let’s see what these numbers look like if we remove Gonzalez from the picture.  That’s right, let’s throw out the catalyst for the outliers and see what the world of data breaches looks like for the Payment Card Industry.

If we count up the number of records lost due to Gonzalez between 2007-2009 we have the following respectively: 94,000,000 (2007), 4,303,930 (2008), and 130,000,000 (2009).  The revised data for those three years would look as following:

2007: 17,957,179 records (down 84%)

2008: 9,135,312 records (down 32%)

2009:  965,494 records (down 99%)

Analysis

What can we learn from this data?  Well, one can speculate that in the absence of outliers like Gonzalez, the overall volume of credit card fraud is dropping.  In fact, without him we would be coasting through 2009 with very few payment-card related data breaches at all!  I won’t make the mistake you anticipate and confuse correlation with causation.

One could also conclude that payment-card related fraud does not follow a normal Gaussian distribution.  In fact, it appears that payment-card related theft and fraud is statistically closer related to the probability distribution of terrorism than traditional crime statistics.

Taking a business perspective one still needs to be on the lookout for attackers and carders who wish to target your business in an effort to “get rich or dye tryin”.  Wherever there is financial or payment-card data there will be those who wish to plunder and capitalize on it.  One thing we must remember is that underground carding is a business model, albeit an illegal one.

Since my goal is to make your arguments better, here are a few of my personal problems I have with the current PCI-Wars debate.  For those not familiar with logical reasoning, please read up on some of these fallacies.

The following is a list of unbalanced flaws in conversational logic that should be avoided when having a conversation with me about PCI.

1. Companies got hacked so PCI must not work

People like to point at recent data security breaches and claim that because companies have been compromised then of course the standard must not work.  Under the same logic if any company gets compromised then the entire information security industry must have somehow failed us.  People forget to remember that it’s all about: people, process, and technology, not just the industry standard.

2. The PCI DSS is all about “risk transference”

I have to restrain myself physically when people say those naughty two words.  Let’s take a walk down the life cycle of a fraudulent transaction for a moment, completely independent of PCI or compliance.

Merchant “A” accepts a fraudulent payment card and delivers the product to the client.  If a cardholder denies the charge, it’s a charge back and Merchant A must absorb the fraud.  (This is why merchants should maintain strong fraud reduction measures.) In the event of a CPP designation on Merchant “B”, the Issuer may apply for reimbursement from the compromised Merchant B.  To do so they need to apply, through the card brands and Acquiring bank, for reimbursement.  If Merchant B can cover the cost then they will pay for the fraud due to their losing data.  If Merchant B cannot cover the cost, then responsibility resides on their Acquiring bank to pay for the fraud.  In many instances it’s not the compromised merchant that pays for all the externalities resultant from lost or exposed payment card data.

So you can see, a compromised merchant is usually the last one to pay for fraud resulting from data that they lost.  They have always been responsible and PCI DSS does not change that in any way.  Instead, the PCI DSS serves as a metric by which the Acquiring banks can begin to measure their potential exposure to financial loss.

3. PCI compliance is all about making money for someone else

Whoa there cowboy!  Remember that the card brands, issuers, and acquirers all spend money on trying to keep merchants and service providers secure.  They put time, money, and resources into developing the program and educating others about it.

The participants: the QSAs, ASVs, infosec vendors, etc. all already existed before PCI ever came alone, they were just called “security consultants”, “Internet vulnerability scanners”, and “product vendors”.  Changing the name of a company doesn’t change the game.  Most merchants forget a small fact that every level of merchant is allowed to self assess if they wish.  Level 1 merchants can use their internal audit group or a QSA, and Levels 2-4 all use the Self-Assessment Questionnaire (SAQ).  The reason companies pay consultants to help them out is the same reason I hire an electrician to rewire my house.  They have experience with it.

I’ve got a deal for you.  You promise to never lose or expose payment card data then I’ll wave my hand and say “this isn’t the non-compliant company you are looking for.”

4. Credit card theft is part of identity theft

Pardon? Ok, in the metaphysical world where everyone sings coombyya then, yes, credit card theft is part of identity theft.  In that same world so is automobile theft, library card theft, and friends using your Costco membership.  I read recently that, “The Federal Trade Commission (FTC) estimates that 50 billion is lost annually due to identity theft and credit card fraud.”  Without context we have no way of understanding this number.  We need to define “identity theft” or else we should include the automobile theft statistics, because if someone steals your car and gets ticketed, isn’t that your identity as well?

Credit card theft has so little impact on the cardholders that almost every issuing bank waves the $50 service fee, and reissues a card within 7-10 days.  If someone steals my SSN, and uses it, the cost to me could take years of work to reverse.

5. PCI just enables checklist security

Yes, just like every other security checklist that ever came before it.  That’s like saying a wheel is only a tool.  Correct, but if that wheel is a racing tire and put on a Formula-1 car it can do good things.  If you hang that wheel on your front door hoping it will ward off evil, I suggest altering your philosophical beliefs.  Companies need to learn how to use the PCI DSS to enable security within their payment card environment and not follow it alone.

The problem occurs on the implementation side when companies with no prior security adopt the PCI DSS as their information security management system, which it was never designed to be (IMHO).  Companies must integrate the PCI DSS into their overall security framework and not use it to replace one.

6. A “compliant” company was compromised so the standard must not work

This is not true.  Please see also: compliance vs validation.  The Visa website provides a “Global List of PCI DSS Validated Service Providers“.  I don’t see the word compliant in there once.  In fact, if we open the PDF and read the first sentence it says, “The companies listed below were validated as being PCI DSS compliant by a QSA as of the ‘VALIDATION DATE’.”  What this means is that a company validated they were compliant one day of the year.  What that company does the other 364 days of the year is an unknown, until the forensic investigation team shows up.

7. Merchants are required to maintain the PAN

Ugh… In late 2007 60 Minutes did a broadcast that contained some misinformation.  One of the people being interviewed claimed that the credit card brands require companies to store the Primary Account Number (PAN), one of the basic elements in authorizing credit card transactions.  I know one person who had to restrain himself from throwing things at his TV after hearing this.  The payment card brands (i.e. Visa) had long since changed their rules and do not require merchants to retain the PAN after authorization and settlement of transactions.  This informaiton has not been widely disseminated to the pupulation.

Regarless, this is still a weak argument, since we know that the vast majority of payment card fraud has nothing to do with just the PAN, but instead the resale and illegal use of sensitive authentication data (track data, CVV2, PIN block).  And this, everyone universally agrees, should not be retained or available to hackers.

8. PCI is reactionary and not preventative

The PCI SSC has stated they will update the PCI standards on a 2-year basis.  When updating these standard, I assume, they will use data breach information and feedback from the industry itself to keep the document as up-to-date and usefull as possible.  When we saw web-application data breaches on the rise, the PCI DSS was updated to include Requirement 6.6 which helped address the problem.

Only by understanding the patterns of attack can be better help companies repel these forces.

Please also remember that the PCI SSC is contributed to by the Participating Organizations who provide feedback on a regular basis.  If you want to get involved then join as a member.

9. PCI is too much! or PCI sucks!

Let’s all chant together, “Tastes great! Less filling!”  Most people get less 5th grade about it and say, “PCI is too specific” and others say, “PCI is too vague”, while still other cynics claim, “… no, it’s specifically vague!”  Wrong, wrong, wrong.  If PCI is too much then why don’t you just secure your data and call it a day.  If your security foo is so good then validate as such.  Also, remember #5.

Jack Daniel said it this way, “PCI sucks. But it sucks less than doing nothing, which is the normal alternative. Real security would be better. So would unicorns.”  If PCI is painful then I begin to wonder why.  Perhaps you don’t fully understand the scope, intent of requirements, or how to best secure your infrastructure?  Perhaps you understand all these but still cannot achieve compliance due to a flat network topology or other scope issues.  This is when I remind you that the overall intent of the PCI DSS is to prevent the paper and electronic theft of payment card data.  If you can understand and achieve this, then it’s all you need.

10. PCI is not enough!

To this I agree, but not that we need more regulation or more security products.  I think people need to expand their insight into the intent behind the requirements and the standard itself.  In the last paragraph I stated that meeting the intent facilitates compliance.  Let’s take this to the next logical conclusion.

While many security people are happy to help you “carpet bomb security” by securing every system to the 9′s, why don’t we start talking about scope reduction and eliminating systems from scope.  The PCI Answers blog lists for us several product vendors that support end-to-end encryption.  Other people have begun creative ways to remove data from scope instead of securing it.

By removing data from scope, and finding more creative ways of securing the data we do store, we are going well beyond simple compliance into the realm of sound security practices.  The PCI DSS exists as a minimum bar to which those who have little security in place can aspire.